Add ChallengeAndVerify and StatelessClient implementations

Author: michaelschattgen

Gotrue/Api.cs

@@ -540,7 +540,6 @@ public ProviderAuthState GetUriForProvider(Provider provider, SignInOptions? opt
 			return Helpers.MakeRequest<Session>(HttpMethod.Post, url.ToString(), body, Headers);
 		}
 
-		
 		/// <inheritdoc />
 		public Task<MfaEnrollResponse?> Enroll(string jwt, MfaEnrollParams mfaEnrollParams)
 		{
@@ -550,7 +549,7 @@ public ProviderAuthState GetUriForProvider(Provider provider, SignInOptions? opt
 				{ "factor_type", mfaEnrollParams.FactorType },
 				{ "issuer", mfaEnrollParams.Issuer }
 			};
-			
+
 			return Helpers.MakeRequest<MfaEnrollResponse>(HttpMethod.Post, $"{Url}/factors", body, CreateAuthedRequestHeaders(jwt));
 		}
 
@@ -559,7 +558,7 @@ public ProviderAuthState GetUriForProvider(Provider provider, SignInOptions? opt
 		{
 			return Helpers.MakeRequest<MfaChallengeResponse>(HttpMethod.Post, $"{Url}/factors/{mfaChallengeParams.FactorId}/challenge", null, CreateAuthedRequestHeaders(jwt));
 		}
-		
+
 		/// <inheritdoc />
 		public Task<MfaVerifyResponse?> Verify(string jwt, MfaVerifyParams mfaVerifyParams)
 		{
@@ -568,16 +567,16 @@ public ProviderAuthState GetUriForProvider(Provider provider, SignInOptions? opt
 				{ "code", mfaVerifyParams.Code },
 				{ "challenge_id", mfaVerifyParams.ChallengeId }
 			};
-			
+
 			return Helpers.MakeRequest<MfaVerifyResponse>(HttpMethod.Post, $"{Url}/factors/{mfaVerifyParams.FactorId}/verify", body, CreateAuthedRequestHeaders(jwt));
 		}
-		
+
 		/// <inheritdoc />
 		public Task<MfaUnenrollResponse?> Unenroll(string jwt, MfaUnenrollParams mfaUnenrollParams)
 		{
 			return Helpers.MakeRequest<MfaUnenrollResponse>(HttpMethod.Delete, $"{Url}/factors/{mfaUnenrollParams.FactorId}", null, CreateAuthedRequestHeaders(jwt));
 		}
-		
+
 		/// <inheritdoc />
 		public async Task<ProviderAuthState> LinkIdentity(string token, Provider provider, SignInOptions options)
 		{

Gotrue/Client.cs

@@ -37,7 +37,7 @@ public class Client : IGotrueClient<User, Session>
 		/// Object called to persist the session (e.g. filesystem or cookie)
 		/// </summary>
 		private IGotruePersistenceListener<Session>? _sessionPersistence;
-		
+
 		/// <summary>
 		/// Get the TokenRefresh object, if it exists
 		/// </summary>
@@ -762,7 +762,7 @@ public void Shutdown()
 
 			if (!Online)
 				throw new GotrueException("Only supported when online", Offline);
-			
+
 			return await _api.Enroll(CurrentSession.AccessToken, mfaEnrollParams);
 		}
 
@@ -774,7 +774,7 @@ public void Shutdown()
 
 			if (!Online)
 				throw new GotrueException("Only supported when online", Offline);
-			
+
 			return await _api.Challenge(CurrentSession.AccessToken, mfaChallengeParams);
 		}
 
@@ -788,10 +788,54 @@ public void Shutdown()
 				throw new GotrueException("Only supported when online", Offline);
 
 			var result =  await _api.Verify(CurrentSession.AccessToken, mfaVerifyParams);
-			
+
+			if (result == null || string.IsNullOrEmpty(result.AccessToken))
+				throw new GotrueException("Could not verify MFA.", MfaChallengeUnverified);
+
+			var session = new Session
+			{
+				AccessToken = result.AccessToken,
+				RefreshToken = result.RefreshToken,
+				TokenType = "bearer",
+				ExpiresIn = result.ExpiresIn,
+				User = result.User
+			};
+
+			UpdateSession(session);
+			NotifyAuthStateChange(MfaChallengeVerified);
+
+			return session;
+		}
+
+		/// <inheritdoc />
+		public async Task<Session?> ChallengeAndVerify(MfaChallengeAndVerifyParams mfaChallengeAndVerifyParams)
+		{
+			if (CurrentSession == null || string.IsNullOrEmpty(CurrentSession.AccessToken))
+				throw new GotrueException("Not Logged in.", NoSessionFound);
+
+			if (!Online)
+				throw new GotrueException("Only supported when online", Offline);
+
+			var challengeResponse = await _api.Challenge(CurrentSession.AccessToken, new MfaChallengeParams
+			{
+				FactorId = mfaChallengeAndVerifyParams.FactorId
+			});
+
+			if (challengeResponse == null)
+			{
+				return null;
+			}
+
+			var result =  await _api.Verify(CurrentSession.AccessToken, new MfaVerifyParams
+			{
+				FactorId = mfaChallengeAndVerifyParams.FactorId,
+				Code = mfaChallengeAndVerifyParams.Code,
+				ChallengeId = challengeResponse.Id
+			});
+
 			if (result == null || string.IsNullOrEmpty(result.AccessToken))
 				throw new GotrueException("Could not verify MFA.", MfaChallengeUnverified);
-			
+
 			var session = new Session
 			{
 				AccessToken = result.AccessToken,
@@ -800,10 +844,10 @@ public void Shutdown()
 				ExpiresIn = result.ExpiresIn,
 				User = result.User
 			};
-			
+
 			UpdateSession(session);
 			NotifyAuthStateChange(MfaChallengeVerified);
-			
+
 			return session;
 		}
 
@@ -815,10 +859,10 @@ public void Shutdown()
 
 			if (!Online)
 				throw new GotrueException("Only supported when online", Offline);
-			
+
 			return  await _api.Unenroll(CurrentSession.AccessToken, mfaUnenrollParams);
 		}
-		
+
 		/// <inheritdoc />
 		public Task<MfaListFactorsResponse?> ListFactors()
 		{
@@ -838,14 +882,14 @@ public void Shutdown()
 		{
 			if (CurrentSession == null || string.IsNullOrEmpty(CurrentSession.AccessToken))
 				throw new GotrueException("Not Logged in.", NoSessionFound);
-			
+
 			var payload = new JwtSecurityTokenHandler().ReadJwtToken(CurrentSession.AccessToken).Payload;
 
 			if (payload == null || payload.ValidTo == DateTime.MinValue)
 				throw new GotrueException("`accessToken`'s payload was of an unknown structure.", NoSessionFound);
 
 			AuthenticatorAssuranceLevel? currentLevel = null;
-			
+
 			if (payload.ContainsKey("aal"))
 			{
 				currentLevel = Enum.TryParse(payload["aal"].ToString(), out AuthenticatorAssuranceLevel parsedLevel) ? parsedLevel : (AuthenticatorAssuranceLevel?)null;
@@ -867,7 +911,7 @@ public void Shutdown()
 				NextLevel = nextLevel,
 				CurrentAuthenticationMethods = currentAuthenticationMethods.ToArray()
 			};
-			
+
 			return Task.FromResult(response);
 		}
 	}

Gotrue/Interfaces/IGotrueClient.cs

@@ -464,7 +464,7 @@ public interface IGotrueClient<TUser, TSession> : IGettableHeaders
 		/// </summary>
 		/// <returns></returns>
 		public Task RefreshToken();
-		
+
 		#region MFA
 		/**
 		 * Starts the enrollment process for a new Multi-Factor Authentication (MFA)
@@ -490,6 +490,12 @@ public interface IGotrueClient<TUser, TSession> : IGettableHeaders
 		 */
 		Task<Session?> Verify(MfaVerifyParams mfaVerifyParams);
 
+		/**
+		 * Helper method which creates a challenge and immediately uses the given code to verify against it thereafter. The verification code is
+		 * provided by the user by entering a code seen in their authenticator app.
+		 */
+		Task<Session?> ChallengeAndVerify(MfaChallengeAndVerifyParams mfaChallengeAndVerifyParams);
+
 		/**
 		 * Unenroll removes a MFA factor.
 		 * A user has to have an `aal2` authenticator level in order to unenroll a `verified` factor.

Gotrue/Interfaces/IGotrueStatelessClient.cs

@@ -264,7 +264,62 @@ public interface IGotrueStatelessClient<TUser, TSession>
         /// <param name="options"></param>
         /// <returns></returns>
         Task<Settings?> Settings(StatelessClientOptions options);
-        
+
+
+        /// <summary>
+        /// Starts the enrollment process for a new Multi-Factor Authentication (MFA)
+        /// factor. This method creates a new `unverified` factor.
+        /// To verify a factor, present the QR code or secret to the user and ask them to add it to their
+        /// authenticator app.
+        /// The user has to enter the code from their authenticator app to verify it.
+        ///
+        /// Upon verifying a factor, all other sessions are logged out and the current session's authenticator level is promoted to `aal2`.
+        /// </summary>
+        /// <param name="jwt"></param>
+        /// <param name="mfaEnrollParams"></param>
+        /// <param name="options"></param>
         Task<MfaEnrollResponse?> Enroll(string jwt, MfaEnrollParams mfaEnrollParams, StatelessClientOptions options);
+
+        /// <summary>
+        /// Prepares a challenge used to verify that a user has access to a MFA
+        /// factor.
+        /// </summary>
+        /// <param name="jwt"></param>
+        /// <param name="mfaChallengeParams"></param>
+        /// <param name="options"></param>
+        Task<MfaChallengeResponse?> Challenge(string jwt, MfaChallengeParams mfaChallengeParams, StatelessClientOptions options);
+
+        /// <summary>
+        /// Verifies a code against a challenge. The verification code is
+        /// provided by the user by entering a code seen in their authenticator app. </summary>
+        /// <param name="jwt"></param>
+        /// <param name="mfaVerifyParams"></param>
+        /// <param name="options"></param>
+        Task<MfaVerifyResponse?> Verify(string jwt, MfaVerifyParams mfaVerifyParams, StatelessClientOptions options);
+
+        /// <summary>
+        /// Helper method which creates a challenge and immediately uses the given code to verify against it thereafter. The verification code is
+        /// provided by the user by entering a code seen in their authenticator app.
+        /// </summary>
+        /// <param name="jwt"></param>
+        /// <param name="mfaChallengeAndVerifyParams"></param>
+        /// <param name="options"></param>
+        Task<MfaVerifyResponse?> ChallengeAndVerify(string jwt, MfaChallengeAndVerifyParams mfaChallengeAndVerifyParams, StatelessClientOptions options);
+
+        /// <summary>
+        /// Unenroll removes a MFA factor.
+        /// A user has to have an `aal2` authenticator level in order to unenroll a `verified` factor.
+        /// </summary>
+        /// <param name="jwt"></param>
+        /// <param name="mfaUnenrollParams"></param>
+        /// <param name="options"></param>
+        Task<MfaUnenrollResponse?> Unenroll(string jwt, MfaUnenrollParams mfaUnenrollParams, StatelessClientOptions options);
+
+        /// <summary>
+        /// Returns the list of MFA factors enabled for this user
+        /// </summary>
+        /// <param name="jwt"></param>
+        /// <param name="options"></param>
+        Task<MfaListFactorsResponse?> ListFactors(string jwt, StatelessClientOptions options);
     }
 }

Gotrue/Mfa/Factor.cs

@@ -7,19 +7,19 @@ public class Factor
 	{
 		[JsonProperty("id")]
 		public string Id { get; set; }
-		
+
 		[JsonProperty("friendly_name")]
 		public string? FriendlyName { get; set; }
-		
+
 		[JsonProperty("factor_type")]
 		public string FactorType { get; set; }
-		
+
 		[JsonProperty("status")]
 		public string Status { get; set; }
-		
+
 		[JsonProperty("created_at")]
 		public DateTime CreatedAt { get; set; }
-		
+
 		[JsonProperty("updated_at")]
 		public DateTime UpdatedAt { get; set; }
 	}

Gotrue/Mfa/MfaChallengeAndVerifyParams.cs

@@ -0,0 +1,8 @@
+namespace Supabase.Gotrue.Mfa
+{
+	public class MfaChallengeAndVerifyParams
+	{
+		public string FactorId { get; set; }
+		public string Code { get; set; }
+	}
+}

Gotrue/Mfa/MfaChallengeResponse.cs

@@ -7,7 +7,7 @@ public class MfaChallengeResponse
 		// ID of the newly created challenge.
 		[JsonProperty("id")]
 		public string Id { get; set; }
-		
+
 		[JsonProperty("expires_at")]
 		public long ExpiresAt { get; set; }
 	}

Gotrue/Mfa/MfaEnrollResponse.cs

@@ -7,7 +7,7 @@ public class MfaEnrollResponse
 		// ID of the factor that was just enrolled (in an unverified state).
 		[JsonProperty("id")]
 		public string Id { get; set; }
-		
+
 		// Type of MFA factor. Only `totp` supported for now.
 		[JsonProperty("type")]
 		public string Type { get; set; }

Gotrue/Mfa/MfaListFactorsResponse.cs

@@ -6,7 +6,7 @@ public class MfaListFactorsResponse
 	{
 		// All available factors (verified and unverified)
 		public List<Factor> All { get; set; }
-		
+
 		// Only verified TOTP factors. (A subset of `all`.)
 		public List<Factor> Totp { get; set; }
 	}

Gotrue/Mfa/MfaResponse.cs

@@ -4,10 +4,10 @@ public class MfaVerifyParams
 	{
 		// ID of the factor being verified. Returned in enroll()
 		public string FactorId { get; set; }
-		
+
 		// ID of the challenge being verified. Returned in challenge()
 		public string ChallengeId { get; set; }
-		
+
 		// Verification code provided by the user
 		public string Code { get; set; }
 	}

Gotrue/Mfa/MfaVerifyParams.cs

@@ -7,19 +7,19 @@ public class MfaVerifyResponse
 		// New access token (JWT) after successful verification
 		[JsonProperty("access_token")]
 		public string AccessToken { get; set; }
-		
+
 		//  Type of token, typically `Bearer`
 		[JsonProperty("token_type")]
 		public string TokenType { get; set; }
-		
+
 		// Number of seconds in which the access token will expire
 		[JsonProperty("expires_in")]
 		public int ExpiresIn { get; set; }
-		
+
 		// Refresh token you can use to obtain new access tokens when expired
 		[JsonProperty("refresh_token")]
 		public string RefreshToken { get; set; }
-		
+
 		// Updated user profile
 		[JsonProperty("user")]
 		public User User { get; set; }